// DLL-Injector.cpp
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <exception>
#include <iostream>
#include <string>

#include "cxxopts.hpp"
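// Minimal RAII owner for a Win32 HANDLE so every exit path closes it.
// The original leaked the process handle on the WriteProcessMemory and
// CreateRemoteThread failure paths and never closed the thread handle.
struct HandleGuard {
    HANDLE h;
    explicit HandleGuard(HANDLE handle) : h(handle) {}
    ~HandleGuard() { if (h != NULL) CloseHandle(h); }
    HandleGuard(const HandleGuard&) = delete;
    HandleGuard& operator=(const HandleGuard&) = delete;
};

// Block until the user presses Enter.  Deliberately not system("pause"):
// that spawns cmd.exe through %COMSPEC%, an avoidable shell-out for a tool
// that is typically run from a privileged context.
static void pauseForUser() {
    std::cout << "Press Enter to continue..." << std::flush;
    std::cin.get();
}

// Resolve `path` to an absolute path via GetFullPathNameA.  LoadLibraryA runs
// in the *target*, so a relative name would be resolved through the target's
// own DLL search order (its working directory, PATH, ...) and could load a
// different file than the one the operator pointed at.  Returns an empty
// string when the path cannot be resolved or does not fit in MAX_PATH.
static std::string resolveDllPath(const std::string& path) {
    char full[MAX_PATH];
    const DWORD len = GetFullPathNameA(path.c_str(), MAX_PATH, full, nullptr);
    if (len == 0 || len >= MAX_PATH) {
        return std::string();
    }
    return std::string(full, len);
}

// Entry point: inject the DLL named by --target into the process named by --pid.
//
// Technique: VirtualAllocEx + WriteProcessMemory place the absolute DLL path in
// the target, then CreateRemoteThread starts LoadLibraryA on that string.  The
// LoadLibraryA address is taken from this process's kernel32.dll; it is only
// meaningful in the target when both processes share the same kernel32 mapping
// (same architecture, same boot session).  Injecting across a 32/64-bit
// boundary is not supported and will fault the remote thread.
//
// Returns EXIT_SUCCESS when LoadLibraryA reported a module handle in the target,
// EXIT_FAILURE on any argument, API, or load error.
int main(int argc, char **argv){
    cxxopts::Options options("DLL Injector", "Basic DLL Injector for fun");
    options.add_options()
        ("p,pid", "Target Process ID", cxxopts::value<int>())
        ("t,target", "Target DLL file", cxxopts::value<std::string>())
        ("h,help", "Print usage");

    // cxxopts throws on malformed input (unknown option, non-numeric pid);
    // report it instead of terminating with an uncaught exception.
    cxxopts::ParseResult result;
    try {
        result = options.parse(argc, argv);
    } catch (const std::exception& e) {
        std::cerr << "\nArgument error: " << e.what() << "\nUse -h option for usage\n";
        return EXIT_FAILURE;
    }

    if (result.count("help")) {
        std::cout << options.help() << std::endl;
        return EXIT_SUCCESS;
    }
    // One check covers "either missing"; the original's second test for
    // "both missing" was unreachable after this one.
    if (!result.count("pid") || !result.count("target")) {
        std::cerr << "\nPlease specify a pid and a target\nUse -h option for usage\n";
        return EXIT_FAILURE;
    }

    // OpenProcess takes a DWORD; a zero or negative value would silently wrap.
    const int pidArg = result["pid"].as<int>();
    if (pidArg <= 0) {
        std::cerr << "\nInvalid pid: " << pidArg << "\n";
        return EXIT_FAILURE;
    }
    const DWORD pid = static_cast<DWORD>(pidArg);

    const std::string dllPath = resolveDllPath(result["target"].as<std::string>());
    if (dllPath.empty()) {
        std::cerr << "\nCould not resolve target DLL path. GetLastError = " << GetLastError() << "\n";
        return EXIT_FAILURE;
    }
    // Fail fast here rather than letting LoadLibraryA fail inside the target.
    if (GetFileAttributesA(dllPath.c_str()) == INVALID_FILE_ATTRIBUTES) {
        std::cerr << "\nTarget DLL not found: " << dllPath << "\n";
        return EXIT_FAILURE;
    }
    std::cout << "Target DLL: " << dllPath << "\n";

    // Least privilege: exactly the rights the calls below need, instead of
    // PROCESS_ALL_ACCESS.  (PROCESS_QUERY_INFORMATION is what the thread
    // creation path needs; VM_READ is included so the same handle can be used
    // for read-back/debugging without reopening.)
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HandleGuard hProcess(OpenProcess(access, FALSE, pid));
    if (hProcess.h == NULL) {
        printf("\nOpenProcess failed. GetLastError = %lu\n", GetLastError());
        pauseForUser();
        return EXIT_FAILURE;
    }
    // GetLastError() is not meaningful after a successful call, so it is no
    // longer printed here.
    printf("\nOpenProcess succeeded\n");

    // Include the NUL terminator: LoadLibraryA reads a C string.
    const SIZE_T payloadLen = dllPath.size() + 1;
    // PAGE_READWRITE: the buffer only ever holds a path string, not code.
    // RWX would be unnecessary and is a common trigger for memory scanners.
    LPVOID remoteMem = VirtualAllocEx(hProcess.h, nullptr, payloadLen,
                                      MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remoteMem == nullptr) {
        printf("VirtualAllocEx failed. GetLastError = %lu\n", GetLastError());
        pauseForUser();
        return EXIT_FAILURE;
    }
    printf("\nMemory allocated with VirtualAllocEx at address: %p\n", remoteMem);
    pauseForUser();

    printf("\nWriting %s into process with PID %lu\n", dllPath.c_str(), pid);
    SIZE_T written = 0;
    if (!WriteProcessMemory(hProcess.h, remoteMem, dllPath.c_str(), payloadLen, &written)
        || written != payloadLen) {
        printf("\nWriteProcessMemory failed. GetLastError = %lu (wrote %zu of %zu bytes)\n",
               GetLastError(), static_cast<size_t>(written), static_cast<size_t>(payloadLen));
        VirtualFreeEx(hProcess.h, remoteMem, 0, MEM_RELEASE);
        pauseForUser();
        return EXIT_FAILURE;
    }
    printf("\nWriteProcessMemory succeeded (%zu bytes)\n", static_cast<size_t>(written));
    pauseForUser();

    // Resolve LoadLibraryA in our own kernel32; see the bitness caveat above.
    HMODULE kernel32 = GetModuleHandleA("kernel32.dll");
    FARPROC loadLibrary = (kernel32 != NULL) ? GetProcAddress(kernel32, "LoadLibraryA") : nullptr;
    if (loadLibrary == nullptr) {
        printf("\nCould not resolve LoadLibraryA. GetLastError = %lu\n", GetLastError());
        VirtualFreeEx(hProcess.h, remoteMem, 0, MEM_RELEASE);
        pauseForUser();
        return EXIT_FAILURE;
    }

    // Start LoadLibraryA(remoteMem) in the target's context.
    HandleGuard remoteThread(CreateRemoteThread(hProcess.h, NULL, 0,
        reinterpret_cast<LPTHREAD_START_ROUTINE>(loadLibrary), remoteMem, 0, NULL));
    if (remoteThread.h == NULL) {
        printf("\nCreateRemoteThread failed. GetLastError = %lu\n", GetLastError());
        VirtualFreeEx(hProcess.h, remoteMem, 0, MEM_RELEASE);
        pauseForUser();
        return EXIT_FAILURE;
    }
    printf("\nCreateRemoteThread succeeded\n");

    // Wait for LoadLibraryA to return so the outcome can be reported and the
    // path buffer released.  The thread exit code is LoadLibraryA's HMODULE
    // truncated to 32 bits on x64, so it is only safe to treat as a boolean.
    const DWORD wait = WaitForSingleObject(remoteThread.h, 10000);
    if (wait != WAIT_OBJECT_0) {
        // The thread may still be reading remoteMem; do not free it.
        printf("\nRemote thread did not finish (wait result %lu); leaving remote buffer allocated\n", wait);
        pauseForUser();
        return EXIT_FAILURE;
    }
    DWORD exitCode = 0;
    const bool loaded = GetExitCodeThread(remoteThread.h, &exitCode) && exitCode != 0;
    VirtualFreeEx(hProcess.h, remoteMem, 0, MEM_RELEASE);
    if (!loaded) {
        printf("\nLoadLibraryA failed inside the target (thread exit code %lu)\n", exitCode);
        pauseForUser();
        return EXIT_FAILURE;
    }
    printf("\nDLL loaded in process with PID %lu\n", pid);
    pauseForUser();
    return EXIT_SUCCESS;
}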